Total
3945 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-37442 | 1 Ays-pro | 1 Photo Gallery | 2024-11-21 | N/A | 3.8 LOW |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Photo Gallery Team Photo Gallery by Ays allows Code Injection.This issue affects Photo Gallery by Ays: from n/a before 5.7.1. | |||||
| CVE-2024-36420 | 1 Flowiseai | 1 Flowise | 2024-11-21 | N/A | 7.5 HIGH |
| Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available. | |||||
| CVE-2024-35777 | 2024-11-21 | N/A | 3.5 LOW | ||
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing.This issue affects WooCommerce: from n/a through 8.9.2. | |||||
| CVE-2024-35728 | 1 Themeisle | 1 Product Addons \& Fields For Woocommerce | 2024-11-21 | N/A | 5.3 MEDIUM |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.This issue affects PPOM for WooCommerce: from n/a through 32.0.20. | |||||
| CVE-2024-35680 | 1 Yithemes | 1 Yith Woocommerce Product Add-ons | 2024-11-21 | N/A | 5.3 MEDIUM |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Code Injection.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.9.2. | |||||
| CVE-2024-34919 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| An arbitrary file upload vulnerability in the component \modstudent\controller.php of Pisay Online E-Learning System using PHP/MySQL v1.0 allows attackers to execute arbitrary code via uploading a crafted file. | |||||
| CVE-2024-34062 | 2024-11-21 | N/A | 4.8 MEDIUM | ||
| tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-32986 | 2024-11-21 | N/A | 9.6 CRITICAL | ||
| PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and `AppInfo.ini` (on PortableApps.com). This allowed malicious web apps to introduce keys like `Exec`, which could run arbitrary code when the affected web app was launched. This vulnerability affects all Linux and PortableApps.com users of all PWAsForFirefox versions up to (excluding) 2.12.0. Windows and macOS users are not affected. This vulnerability has been fixed in commit `9932d4b` which has been included in release in v2.12.0. The main fix is implemented in the native part, but the extension also contains additional fixes. All Linux and PortableApps.com users are advised to update to this version as soon as possible. It is also recommended for Windows and macOS users to update to this version, as it contains additional fixes related to properties sanitization. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-23828 | 1 Nginxui | 1 Nginx Ui | 2024-11-21 | N/A | 8.8 HIGH |
| Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to an authenticated arbitrary command execution via CRLF attack when changing the value of test_config_cmd or start_cmd. This vulnerability exists due to an incomplete fix for CVE-2024-22197 and CVE-2024-22198. This vulnerability has been patched in version 2.0.0.beta.12. | |||||
| CVE-2024-23648 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | N/A | 8.8 HIGH |
| Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue. | |||||
| CVE-2024-22319 | 1 Ibm | 1 Operational Decision Manager | 2024-11-21 | N/A | 8.1 HIGH |
| IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, 8.11.1 and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145. | |||||
| CVE-2024-21900 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-11-21 | N/A | 4.3 MEDIUM |
| An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later | |||||
| CVE-2024-21645 | 1 Pyload | 1 Pyload | 2024-11-21 | N/A | 5.3 MEDIUM |
| pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77. | |||||
| CVE-2024-21623 | 1 Mehah | 1 Otclient | 2024-11-21 | N/A | 9.8 CRITICAL |
| OTCLient is an alternative tibia client for otserv. Prior to commit db560de0b56476c87a2f967466407939196dd254, the /mehah/otclient "`Analysis - SonarCloud`" workflow is vulnerable to an expression injection in Actions, allowing an attacker to run commands remotely on the runner, leak secrets, and alter the repository using this workflow. Commit db560de0b56476c87a2f967466407939196dd254 contains a fix for this issue. | |||||
| CVE-2024-0552 | 1 Intumit | 2 Smartrobot, Smartrobot Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Intumit inc. SmartRobot's web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server. | |||||
| CVE-2024-0231 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 2.7 LOW |
| A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits. | |||||
| CVE-2023-7114 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 7.1 HIGH |
| Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server. | |||||
| CVE-2023-7039 | 1 Byzoro | 2 Smart S210, Smart S210 Firmware | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in Byzoro S210 up to 20231210. Affected is an unknown function of the file /importexport.php. The manipulation of the argument sql leads to injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248688. | |||||
| CVE-2023-6458 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 7.1 HIGH |
| Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | |||||
| CVE-2023-6174 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2024-11-21 | N/A | 6.3 MEDIUM |
| SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of service via packet injection or crafted capture file | |||||